TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Cybersecurity researchers have called attention to a “massive campaign” that has systematically targeted cloud-native environments to set up malicious infrastructure for follow-on exploitation.

The activity, observed around December 25, 2025, and described as “worm-driven,” leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster tracked as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce).

TeamPCP is known to have been active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from various victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.

“The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,” Flare security researcher Assaf Morag said in a report published last week.

TeamPCP is said to operate as a cloud-native cybercrime platform, leveraging misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as primary infection pathways to breach modern cloud infrastructure and facilitate data theft and extortion.

In addition, the compromised infrastructure is misused for a range of other purposes, from cryptocurrency mining and data hosting to proxy and command-and-control (C2) relays.

Rather than employing any novel tradecraft, TeamPCP leans on tried-and-tested attack methods, such as existing tools, known vulnerabilities, and prevalent misconfigurations, to build an exploitation platform that automates and industrializes the whole process. This, in turn, transforms the exposed infrastructure into a “self-propagating criminal ecosystem,” Flare noted.

Successful exploitation paves the way for the deployment of next-stage payloads from external servers, including shell- and Python-based scripts that seek out new targets for further expansion. One of the core components is “proxy.sh,” which installs proxy, peer-to-peer (P2P), and tunneling utilities, and delivers various scanners to continuously search the internet for vulnerable and misconfigured servers.

“Notably, proxy.sh performs environment fingerprinting at execution time,” Morag said. “Early in its runtime, it checks whether it’s running inside a Kubernetes cluster.”

“If a Kubernetes environment is detected, the script branches into a separate execution path and drops a cluster-specific secondary payload, indicating that TeamPCP maintains distinct tooling and tradecraft for cloud-native targets rather than relying on generic Linux malware alone.”

A brief description of the other payloads is as follows –

  • scanner.py, which is designed to find misconfigured Docker APIs and Ray dashboards by downloading Classless Inter-Domain Routing (CIDR) lists from a GitHub account named “DeadCatx3,” while also featuring options to run a cryptocurrency miner (“mine.sh”).
  • kube.py, which includes Kubernetes-specific functionality to conduct cluster credential harvesting and API-based discovery of resources such as pods and namespaces, followed by dropping “proxy.sh” into accessible pods for broader propagation and setting up a persistent backdoor by deploying a privileged pod on every node that mounts the host.
  • react.py, which is designed to exploit the React flaw (CVE-2025-29927) to achieve remote command execution at scale.
  • pcpcat.py, which is designed to discover exposed Docker APIs and Ray dashboards across large IP address ranges and automatically deploy a malicious container or job that executes a Base64-encoded payload.
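From the defender's side, the persistence technique attributed to kube.py (a privileged pod on every node that mounts the host) and the Base64-to-shell container commands attributed to pcpcat.py are both visible in a plain pod listing. The following Python script, written as an added example for this article (it is not code from the page, from Flare, or from the TeamPCP tooling), audits a `kubectl get pods -A -o json` dump for those traits and reports how many nodes each flagged controller has spread to. The pod list, pod and node names, images, and the harmless Base64 blob are constructed sample data; the list of sensitive host paths is an assumption you would tune for your own clusters.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output; pod names,
# namespaces, images and node names are made up for this example, not real telemetry.
def _sample_pod(name, namespace, node, owner, privileged, host_root, command=None):
    volumes = [{"name": "host", "hostPath": {"path": "/"}}] if host_root else [{"name": "tmp", "emptyDir": {}}]
    mount = {"name": "host", "mountPath": "/host"} if host_root else {"name": "tmp", "mountPath": "/tmp"}
    container = {
        "name": "main",
        "image": "docker.io/library/alpine:3.20" if host_root else "registry.example/web:1.4",
        "securityContext": {"privileged": privileged},
        "volumeMounts": [mount],
    }
    if command:
        container["command"] = command
    return {
        "metadata": {"name": name, "namespace": namespace,
                     "ownerReferences": [{"kind": owner[0], "name": owner[1]}]},
        "spec": {"nodeName": node, "hostPID": host_root, "containers": [container], "volumes": volumes},
    }

# One ordinary workload as a control, plus a DaemonSet whose pods run privileged on
# every node, mount the host root, and pipe a Base64 blob (here just "echo hi") into sh.
SAMPLE_POD_LIST = json.dumps({"items": [
    _sample_pod("web-7c9d-abcde", "shop", "node-a", ("ReplicaSet", "web-7c9d"), False, False),
    _sample_pod("sysmon-x1", "kube-system", "node-a", ("DaemonSet", "sysmon"), True, True,
                ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | sh"]),
    _sample_pod("sysmon-x2", "kube-system", "node-b", ("DaemonSet", "sysmon"), True, True,
                ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | sh"]),
]})

# Assumed list of host paths whose mount into a pod deserves review; adjust per cluster.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/var/lib/kubelet")


def audit_pod(pod):
    """Return a list of findings for one pod object (empty when nothing is suspicious)."""
    spec = pod["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    if spec.get("hostPID"):
        findings.append("hostPID enabled")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {c['name']} runs privileged")
        for vm in c.get("volumeMounts", []):
            path = host_paths.get(vm["name"])
            if path in SENSITIVE_HOST_PATHS:
                findings.append(f"container {c['name']} mounts host {path} at {vm['mountPath']}")
        # Command and args joined, so "base64 -d | sh" is caught however it is split.
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        if "base64 -d" in cmdline and ("| sh" in cmdline or "| bash" in cmdline):
            findings.append(f"container {c['name']} decodes Base64 into a shell")
    return findings


def audit_pod_list(pod_list_json):
    """Audit a pod list JSON string.

    Returns (flagged, spread): flagged maps "namespace/pod" to its findings; spread maps
    each owner ("Kind/name") of a flagged pod to the sorted node names it runs on, which
    exposes the one-privileged-pod-per-node pattern at a glance.
    """
    flagged, owner_nodes = {}, {}
    for pod in json.loads(pod_list_json)["items"]:
        findings = audit_pod(pod)
        if not findings:
            continue
        meta = pod["metadata"]
        flagged[f"{meta['namespace']}/{meta['name']}"] = findings
        for ref in meta.get("ownerReferences", []):
            owner_nodes.setdefault(f"{ref['kind']}/{ref['name']}", set()).add(pod["spec"].get("nodeName"))
    return flagged, {owner: sorted(nodes) for owner, nodes in owner_nodes.items()}


if __name__ == "__main__":
    flagged, spread = audit_pod_list(SAMPLE_POD_LIST)
    for pod_name, findings in flagged.items():
        print(pod_name)
        for finding in findings:
            print("  -", finding)
    for owner, nodes in spread.items():
        print(f"{owner} present on nodes: {', '.join(nodes)}")
```

Run it against a real dump by replacing `SAMPLE_POD_LIST` with the contents of `kubectl get pods -A -o json`. Legitimate node agents (CNI plugins, log shippers, security sensors) will also appear in the output, so the value of the report is in the combination: a privileged, host-root-mounting DaemonSet that nobody deployed, running an unfamiliar image with a decoded-shell command, is the shape the article describes.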

Flare said the C2 server node located at 67.217.57[.]240 has also been linked to the operation of Sliver, an open-source C2 framework that is known to be abused by threat actors for post-exploitation purposes.

Data from the cybersecurity company shows that the threat actors primarily single out Amazon Web Services (AWS) and Microsoft Azure environments. The attacks are assessed to be opportunistic in nature, primarily targeting infrastructure that supports the group's goals rather than going after specific industries. The result is that organizations that run such infrastructure become “collateral victims” in the process.

“The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure,” Morag said. “What makes TeamPCP dangerous isn’t technical novelty, but their operational integration and scale. Deeper analysis shows that most of their exploits and malware are based on well-known vulnerabilities and lightly modified open-source tools.”

“At the same time, TeamPCP blends infrastructure exploitation with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware, fraud, and cybercrime reputation building. This hybrid model allows the group to monetize both compute and data, giving it multiple revenue streams and resilience against takedowns.”
